The House Committee on Education and the Workforce recently announced the introduction of a bill to amend FERPA. The Student Privacy Protection Act (H.R. 3157) has bipartisan support and is intended to modernize privacy protections, improve communication, and “hold schools, states and independent entities accountable for their use of student information.”

I’m pulling out a few of the changes Cornelison notes that are particularly significant, I think:

Prescribing additional security practices. The bill would require educational agencies and institutions and the SEA to designate an official responsible for maintaining the security of their education records. They would have to require any party given access to such records to maintain similar security practices, and they would have to establish a notification policy for breaches of their policies governing the security of the education records they hold or maintain. Under that policy, parents or eligible students must be notified within three days of the agency or institution becoming aware of the breach.

Changing the “school official” exception for non-consensual disclosures. Under the regulations implementing the current version of FERPA, a “school official” is defined to include a “contractor, consultant, volunteer or other party to whom an agency or institution has outsourced institutional services or functions,” subject to certain conditions. The bill would instead limit this exception expressly to school officials, including teachers, and would create a separate exception for “an education service provider, contractor, consultant, volunteer, or other party” that has a legitimate educational interest and to whom the institution or agency has outsourced a function or service. That new exception carries over the conditions in the current regulation and adds further ones. Specifically, the bill would require a written agreement with any such entity or individual that addresses the protection of the information being disclosed, and it specifies a number of provisions the agreement must cover, including a description of any subcontractor or other person acting for the party and the penalties for a security breach in violation of the agreement.

Including a ban on marketing and advertising. The bill prohibits any “person with access to an education record or a student’s personally identifiable information contained in the education record” from marketing or otherwise advertising directly to students using information gained through that access. Some limited exceptions are provided such as for school pictures, class rings, yearbooks and similar school-sanctioned commemorative products, events or activities.

Authorizing the imposition of penalties. The bill would authorize the Secretary of Education to impose fines upon educational agencies or institutions and the SEA for failures to voluntarily comply or for substantial violations. The fine is to be a minimum of $100, but depending on the severity of the violation can go to a maximum of $1.5 million.
